Thursday, February 28, 2019

Sharing For Later Contemplation

https://blog.senr.io/blog/the-insecurity-of-industrial-control-systems

Relevant to Previous Post

Discusses attacks targeting the DNS infrastructure.

https://www.securityweek.com/warning-issued-over-attacks-internet-infrastructure

Computing - the Internet, Cont.

I used the postal service to describe how information gets routed on the internet, but that doesn't quite explain what goes on when you type a URL in a browser.

A couple of points need to be made here - we remember names better than numbers, but computers run on numbers. Binary, to be exact.

When we put 'www.google.com' into a browser, we are sending a request to whatever computer hosts the file for that site, and asking them to send us the file.

However, it's a bit like putting 'New York, NY' on the letter... and then the post office asks us for the full and complete zip code, including the final four digits (the zip might be 10004-1007). In computing, that's actually the IP address... which is really just a fancy way of making all the 1s and 0s a little more human readable. (254.171.170.75 is just a fancy way of saying 11111110 10101011 10101010 01001011, breaking the binary into groups of eight and converting each group to decimal. Since 11111111 is 255 in decimal, each grouping can store a number between 0 and 255. They started running out of numbers as the internet boomed, and came up with a few workarounds to help extend the system for a little while, but ultimately came up with IPv6 - or Internet Protocol version 6 - as a better solution. IPv6 numbers are written in hexadecimal, so you'll see something like FE80:CD00:0000:0CDE:1257:0000:211E:729C, which is again a fancy way of organizing a string of 1s and 0s.)

So the computer needs a number, and the address you entered is not it. So the computer has to have a way of looking up what number is associated with that address, sort of like my zip code finder above.

In computers, the entire process relies on what's called the Domain Name System, or DNS. Most of what you can find online likes to describe DNS as something like a telephone book, but I used zip codes for a reason.

Let's say you go to the USPS zip code finder and enter an address in New York, NY... but someone's hacked that site, and it gives you the zip code 92101-1007. The post office routes based on the zip code, so that letter is going to San Diego, CA. You may have intended to send it to New York, but there's this thing called 'DNS poisoning' where hackers will give your computer an address that isn't the one you intended. If they're really good, they'll even make the site look exactly like the site you expected. It's just, well, it might record your login information or trick you into downloading something malicious.

So you entered an address in your browser, and your computer looks up the number associated with that address. It then sends out the letter(s) to your destination, asking for the web page. Your destination receives your request and serves a response, sending a stream of letters back to you.

That's a very rough idea of what's going on, and I'll dig into it a bit more...

Another time. I've been messing around creating VMs (virtual machines) this morning (CentOS installed fine, but why oh why does my Ubuntu say there was an unresolvable error? Ugh! And I need to find out if I have any old Windows software lying around. Even though I'm just creating some VMs to practice my skills with, virtual machines are computers in their own right. They use the keyboard, mouse, CPU, display screen, etc. that the physical computer does. See, your CPU is amazingly powerful... and if you're not using it, it sits idle. Once you've downloaded that webpage and sit there reading it, there's not really a lot for your CPU to do. Some genius realized that you can make computing more efficient if you kept that CPU humming... so putting multiple virtual computers on one physical computer was one way of doing that - and provided some additional layers of security and whatnot. Anyways, I'm not really intending to use the VM as a Windows XP or Windows 7 machine, but it could be used that way and the software is proprietary.)

Anyways, I don't really feel like delving further into internet basics.

Seems a Decent Summary of Cohen Testimony

https://www.lawfareblog.com/cohen-silence-breaks-what-make-wednesdays-testimony

Wednesday, February 27, 2019

Thought Provoking

When predicting enemy Courses of Action (COA) we were always supposed to look for the most likely and most dangerous COAs. It helps to make sure you're ready in case the worst actually does happen.

I don't know nearly enough about Russia to say whether this prediction is true, but in terms of a 'most dangerous COA' it seems worth considering. Even if nothing of note happens, what could happen and do we have any countermeasures in place?

Check out @J_amesp’s Tweet: https://twitter.com/J_amesp/status/1094840317277282309?s=09

Article on Black Market Value for Hackers

https://www.securityweek.com/cybercriminals-promise-millions-skilled-black-hats-report

Computing - the Internet

I'm feeling rather proud of myself. After a conversation with someone yesterday, I installed ESXi on my home built computer. I was concerned at first, as it wasn't connecting to the internet... but then I realized that I didn't have a physical ethernet cable plugged in and had been relying on the wireless NIC. I plugged the cable in this morning, and it's working fine. I even managed to access it from another computer. So now I'm downloading some files necessary for creating virtual machines, so I can try creating a virtual lab to mess around in.

Anyways. Today I wanted to talk a bit about the internet. The usual place to start is with a rather technical discussion, but I'm trying to translate these concepts into everyday language, so I'm going to try something different. Understand that I am vastly oversimplifying some things, and skipping over a lot of detail here.

With that out of the way, let's talk about the internet.

Actually, let's start with something most people are more comfortable with - tracking a package.

Whether it's USPS, DHL, UPS, or Amazon, every carrier will show the progress of a package as it moves from its source to its destination. I think most people understand what is going on here without thinking about it too much, either.

That is, the carrier isn't going to send your mail directly from one place to another. There's too much mail going to too many places and if you need that to happen, you'd hire a courier to do the job.

Instead, the post office (and other such carriers) regularly carry mail to nearby facilities, and will route everything they receive to the facility best suited for sending that mail on to its final destination. As you can see in the picture above, the package goes from Chicago to Indianapolis before going to Fort Wayne. Indianapolis is a bit further south than Fort Wayne, so routing it this way added a bit more time than sending it directly to Fort Wayne, but there probably isn't enough mail going straight to Fort Wayne to warrant a direct connection... so Indy was the closest place along the way (and much closer than sending the mail to St. Louis!).

It's all done for the same reason airlines have hubs, and it's difficult to get a flight straight to your destination unless you live at one of those hubs, and are going straight to another hub.

The internet is a bit like that, as well. When you get on an internet browser and put in a location, the page you're looking for is not floating out there in the digital aether. It's sitting on a computer somewhere. (Okay, so it might be sitting on a virtual machine, with twenty other virtual machines... but those are all sitting on a physical machine somewhere. Ultimately, everything you do on the internet is tied to a real, physical place.)

If you want to go see funny cats, and you put https://icanhas.cheezburger.com/lolcats in the browser, that /lolcats indicates a subdirectory where the file is stored, much like you might find a picture by going to C:\Users\Yourname\Pictures.

Your internet browser will send a request for the webpage to the site (called a 'server', since it serves webpages to whoever asks) and that site will send you the information you requested. The browser knows how to read the result and present it to us with all the fonts, colors, and pictures the creator intended.

Although the internet works a bit like the postal service, there are also (numerous) key differences. For one thing, a post office generally stays open for years. Decades even. Carrier routes are somewhat stable, and any significant changes tend to be advertised well in advance.

In contrast, routers may appear and disappear on the internet in the blink of an eye. Someone may add a router in one location, and another might break down and go off the net. So the routers, or 'sorting facilities' of the post office, regularly send out messages to their neighbors going "Are you still there?"

And whenever a new router comes online, it sends out messages to all its neighbors saying "Tadah! I AM HERE!"

The sorting facilities constantly have to update their routing information to take into account any sudden loss of connection, and they have to sense whether their neighbor is getting flooded with mail so they can lighten the load a bit and route things to a different facility.

There are other differences as well, such as size limits. If you wanted to send a letter, or mail a package, most of the time you can do it all at once. And when you send it, you can send it off and forget about it, relying on the carrier to get it where it needs to be. (Like UDP, an internet protocol that fires and forgets.)

That won't work for certain things, though. (I'm editing to add that video is UDP, because waiting for confirmation slows it down too much. Web pages and file transfers are TCP, since you want to make sure everything arrives.)

The size limit means your letter might need to be broken down into 20 letters, and those letters might get routed differently... so letter 18 might arrive at its destination before letter 12. And letter 13 might fall into a puddle, and be completely unreadable. The letters have to be sent and received in a timely fashion, and put in order. Otherwise you'll get lag, and bits of the video will be missing.

So you need mechanisms for keeping track of what order the letters were sent, you need to verify that all the letters were actually received correctly (and that any missing letters are resent), and the letters ought to be sealed so that you know if someone got in and tampered with them.
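To make those mechanisms concrete, here is a small receiver written for this post (an added example, not from the original): each letter carries a sequence number and a seal, letters arrive in any order, damaged ones are dropped, and the receiver reports which numbers to ask the sender for again. The message, the letter sizes and the simple checksum used as a 'seal' are constructed for the demo; a real transport uses a cryptographic MAC for the seal, since a plain checksum only catches accidents.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_LETTERS 64   /* constructed limit for the demo */

/* One "letter": its place in the sequence, its contents, and a seal so the
 * receiver can tell when a letter was damaged on the way. The seal here is a
 * simple checksum, which catches accidents (the puddle) but not deliberate
 * tampering; a real transport would use a MAC for that. */
struct letter {
    int seq;
    char text[8];
    uint8_t seal;
};

uint8_t compute_seal(int seq, const char *text) {
    uint8_t s = (uint8_t)seq;
    for (const char *p = text; *p; p++) s = (uint8_t)(s * 31 + (uint8_t)*p);
    return s;
}

struct letter make_letter(int seq, const char *text) {
    struct letter l;
    l.seq = seq;
    memset(l.text, 0, sizeof l.text);
    strncpy(l.text, text, sizeof l.text - 1);
    l.seal = compute_seal(seq, l.text);
    return l;
}

/* Put letters 1..total back in order from whatever arrived, in whatever order.
 * Damaged letters (seal mismatch) are treated as if they never arrived.
 * Writes the message to `out` with '?' for each gap, lists the sequence
 * numbers to ask the sender for in `missing`, and returns how many there are. */
int reassemble(const struct letter *arrived, int n_arrived, int total,
               char *out, size_t out_size, int *missing) {
    const struct letter *slot[MAX_LETTERS] = {0};
    if (total > MAX_LETTERS) total = MAX_LETTERS;
    for (int i = 0; i < n_arrived; i++) {
        const struct letter *l = &arrived[i];
        if (l->seq < 1 || l->seq > total) continue;              /* not part of this message */
        if (compute_seal(l->seq, l->text) != l->seal) continue;  /* fell in a puddle */
        slot[l->seq - 1] = l;                                    /* file it by sequence number */
    }
    int n_missing = 0;
    out[0] = '\0';
    for (int s = 0; s < total; s++) {
        if (slot[s] == NULL) {
            missing[n_missing++] = s + 1;                         /* needs resending */
            strncat(out, "?", out_size - strlen(out) - 1);
        } else {
            strncat(out, slot[s]->text, out_size - strlen(out) - 1);
        }
    }
    return n_missing;
}

/* Constructed scenario: five letters sent, they arrive out of order, letter 3
 * is damaged on the way and letter 4 never shows up. */
static char g_text[64];
static int  g_missing[MAX_LETTERS];
static int  g_n_missing = -1;

static void run_demo(void) {
    if (g_n_missing >= 0) return;
    const char *parts[5] = {"The ", "quick", " brown", " fox", " jumps"};
    struct letter sent[5];
    for (int i = 0; i < 5; i++) sent[i] = make_letter(i + 1, parts[i]);
    struct letter arrived[4] = {sent[4], sent[1], sent[2], sent[0]};
    arrived[2].text[1] = 'B';   /* letter 3 damaged after it was sealed */
    g_n_missing = reassemble(arrived, 4, 5, g_text, sizeof g_text, g_missing);
}

int demo_missing_count(void) { run_demo(); return g_n_missing; }
int demo_missing_seq(int i)  { run_demo(); return g_missing[i]; }
const char *demo_text(void)  { run_demo(); return g_text; }

int main(void) {
    printf("reassembled: \"%s\"\n", demo_text());
    printf("ask sender to resend %d letter(s):", demo_missing_count());
    for (int i = 0; i < demo_missing_count(); i++) printf(" %d", demo_missing_seq(i));
    printf("\n");
    return 0;
}
```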

And so on, and so forth. You can get into the nitty gritty details on how this is managed if you want, there are plenty of resources out there.

Tuesday, February 26, 2019

An Update and More on Computing

Someone gave me some advice on setting up a home lab, so I was messing around with my own computers for a bit. I was thinking that if I set up my most powerful computer as a hypervisor (i.e. it can host virtual machines simulating other computers) I can connect to it from my laptop and mess around with it that way.

No news on the job front, alas.

I wanted to talk more about what happens when you surf the net, but first I wanted to say something about hacking. Hacking, btw, is more of a mindset than anything else, a willingness to look at the various tools in place and see the potential for unexpected uses. Sort of like the way Afghans would repurpose solar panels to suit themselves. Anyways, that mindset can be used for both good and bad, but isn't inherently evil. Even though most people nowadays think of 'hackers' as criminals, it's not true.

It takes someone very knowledgeable about computer architecture, programming, and the like to exploit a vulnerability. We were supposed to do this as an assignment in one of my classes, and let me tell you, it was hard. Going back to my earlier post, such a skillset could be compared to a skilled man-at-arms back before guns became a thing. It took years of hard work and practice to become an expert swordsman, and the same goes for expert hackers.

With the power of programming and the ease with which we can copy and share information, a really good hacker can create a program to exploit a vulnerability, and then make infinite copies of that exploit. I used wizards and spells in my previous analogy because it seemed a bit more accurate than describing a gunsmith and the mass distribution of automatic rifles.

The knowledge and skills required to be a 'wizard' (or 'hacker') may create a limit, of a sort, on how much trouble they can wreak directly, but the ability to share anything they find means that anyone - even your mother, father, grandmother or grandfather - can conduct a cyber attack. I have come across a few vague articles talking about the criminal business model for such things, and it sounds like there are people hired to conduct attacks who probably don't know much more about computers than anyone not in the computer industry. (So, really, not all cyber attackers have the skills to be a 'hacker'. I think the term I've heard people use for them is 'script kiddie'.)

Monday, February 25, 2019

Computing - Hacking, Buffer Overflows, Etc

I originally planned on going into networking a bit (i.e. what happens when you type something in the internet browser), but I decided it's probably more important to take a step back and discuss hacking.

Hacking, I've come to learn, doesn't necessarily mean anything malicious. It's more about a mindset... about knowing how the system works, and how to manipulate it in order to make it do what you want. Even if what you want was not the original intent.

But what does that mean, really? Well, early programs sort of took it on faith that people would use them the way they were intended... so most programmers didn't code ways of catching such errors.

A lot of programs are interactive - they ask us for our user names, or birthdate, or what our favorite fruit is, or what command we want to give to a character in a computer game.

And here's the thing - the programmer doesn't necessarily know what we're going to type. If it's asking for our favorite fruit, it could be 'apple', or 'banana', or something more obscure like 'jackfruit' or 'starfruit'.  The program has to be prepared for whatever we type in...

And sometimes, well... people make mistakes. Typos. They might be asked for their favorite fruit, and instead hit the 'ENTER' key without typing anything. Or accidentally type ap4le. Or bannnana. Or 42.

And sometimes, someone who knows the system very well can deliberately type in something else. For example, the program might have reserved enough space for whatever they consider appropriate for a fruit. Maybe there's enough space to type jackfruit_____ (giving extra room, just in case.)

But what happens if someone types in jackfruit_____gotomyvirus?

It's possible for everything past the buffer, everything past the space reserved for that user input, to overwrite whatever happened to be at that location. It's still all in binary, of course. So it's as though the computer had said 011001010 and now says 010010110. But if that location was, oh, let's say instructions for the next step of the program... and the new instructions basically tell it to go to another location and run a bit of code that does something malicious (i.e. 'go to my virus'), then congratulations. Your program has a vulnerability that has now been exploited and used to launch a computer virus.

Computers only do what they are told to do, no more and no less. If it thinks a program is telling it to go to a location, it doesn't know that the command was altered... it just follows the instruction and goes to that location. And if that location includes a list of other commands, commands telling it to start a remote trojan that takes over your computer, or secretly record everything you type, or run a program mining for cryptocurrency, or check for orders from another computer and send multiple information requests to a designated website... well, it's just doing what the instructions said.

There are countermeasures, of course. Secure coding practices that check user input for things like this, and/or cut off anything that goes beyond the allotted space.
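As an added example (not from the original post), here is the fruit prompt modelled in C: a small region of memory where the space reserved for the answer sits right in front of the value that tells the program what to do next. The layout, the sizes and the 'next step' value are constructed for the demo; the unchecked copy behaves like strcpy, and the checked copy is the countermeasure, cutting the input off at the reserved size.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define FRUIT_SPACE 16   /* constructed: room for "jackfruit_____" plus a terminator */
#define FRAME_SIZE  20   /* the answer, followed by 4 bytes that say what happens next */

/* Constructed model of a small region of memory. The reserved answer buffer
 * sits directly in front of the "next step" value. Real stack frames are laid
 * out differently, but the ordering problem is the same. */
struct frame {
    unsigned char bytes[FRAME_SIZE];
};

static const uint32_t NEXT_STEP_OK = 0x00000010u;  /* constructed: "carry on as planned" */

static void frame_init(struct frame *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + FRUIT_SPACE, &NEXT_STEP_OK, sizeof NEXT_STEP_OK);
}

/* Unchecked copy, the way strcpy behaves: nothing compares the input against
 * the reserved size, so a long answer runs straight into the bytes after it.
 * (Bounded by the whole frame only so the demo itself stays defined behaviour.) */
static void store_fruit_unchecked(struct frame *f, const char *input) {
    size_t i = 0;
    while (input[i] != '\0' && i < FRAME_SIZE) {
        f->bytes[i] = (unsigned char)input[i];
        i++;
    }
    if (i < FRAME_SIZE) f->bytes[i] = '\0';
}

/* Checked copy: stops at the reserved size and throws the rest away. */
static void store_fruit_checked(struct frame *f, const char *input) {
    size_t i = 0;
    while (input[i] != '\0' && i < FRUIT_SPACE - 1) {
        f->bytes[i] = (unsigned char)input[i];
        i++;
    }
    f->bytes[i] = '\0';
}

static uint32_t next_step(const struct frame *f) {
    uint32_t v;
    memcpy(&v, f->bytes + FRUIT_SPACE, sizeof v);
    return v;
}

/* Store `input` with either routine and report whether the next-step value
 * survived: 1 if it is still NEXT_STEP_OK, 0 if the answer overwrote it. */
int next_step_intact(int checked, const char *input) {
    struct frame f;
    frame_init(&f);
    if (checked) store_fruit_checked(&f, input);
    else store_fruit_unchecked(&f, input);
    return next_step(&f) == NEXT_STEP_OK;
}

int main(void) {
    const char *inputs[] = {"apple", "jackfruit_____", "jackfruit_____gotomyvirus"};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-26s unchecked: %s   checked: %s\n", inputs[i],
               next_step_intact(0, inputs[i]) ? "next step intact" : "NEXT STEP OVERWRITTEN",
               next_step_intact(1, inputs[i]) ? "next step intact" : "NEXT STEP OVERWRITTEN");
    }
    return 0;
}
```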

This also is just one example of a vulnerability, to give readers a sense of how it works.

(It's also just one area of this vast realm we call 'cybersecurity' that I'm interested in. Not so much finding those vulnerabilities and exploiting them - though there are people who make a living finding such things - so much as looking at a virus and figuring out how it does what it does. I think I'd have to set up a virtual machine, get some code I suspect is malicious, and then watch/monitor the actions it takes when it runs. I'd probably need something that breaks down those actions into machine language, and have to understand that language well enough to go looking for where the instructions are altered. Figure out where something is entered to overwrite what was supposed to be in the program and put in new instructions. And it'll look different for the various vulnerabilities, too. Plus there's an ongoing cat and mouse game to this. That is, anti-virus programs can identify sequences of 1's and 0's that indicate something malicious is going on, so hackers sometimes encrypt the virus or alter it on a regular basis so that it looks like something different.

I haven't gotten down into the weeds of this yet. Tbh I'm hesitant to start up my own 'sandbox' and risk infecting my systems if I do something stupid. I'd sort of prefer to know someone already doing this kind of work, and learn from them as much as possible.

I like the idea, though, and may just jump in and start messing around with it at some point. If I break something, well, I'll just have to learn how to fix it afterwards, right? It's just... there are tons of other interesting things to explore, as well!)

Sunday, February 24, 2019

Computing - Binary, Hex, and Digital Forensics

While job hunting, I'm also working to brush up on/expand my knowledge in certain areas, working towards getting a certification and the like. I was thinking that I should try to put what I know in my own words, to see if I've understood the concepts well enough.

I suppose the best place to start is with binary.

Computing, for most people, is a bit like driving a car. That is, we all know how to put the key in the ignition, start a car, turn the steering wheel (to direct the car), press the accelerator and the brake, select forward or reverse, and so on and so forth... but most people don't necessarily understand what is going on behind the scenes. What happens when you press the brakes, or accelerator, or turn the wheel.

By the same token, we all know how to turn on a computer (or smartphone), how to surf the internet, how to point and click with a mouse or type with a keyboard... but we don't necessarily understand what the computer is doing behind the scenes to make the magic happen. How does it know what a particular mouse click means? Or how to interpret what we type in a keyboard? How does it know what to do when we type a URL in an internet browser?

The very, very basics come down to binary. Most computers use electricity, of course, so it's all tied to electrical signals. On or off. (You can actually create computers using other means, so long as you have some way of indicating 1 or 0... like punch cards, which can be punched or not punched. It's just that electrical signals can be fast, and we can create electrical circuits that do the calculations with a very small amount of space.)

The computer gets a series of 1s and 0s, and it knows how to interpret them based on computer architecture and the efforts of previous computer scientists to build a framework for interpreting particular sequences of 1s and 0s. In some cases, that series of 1s and 0s might indicate a particular action to take (the machine language of that particular system), or a memory location where the data is stored, or the actual data stored at that location.

Behind the scenes, your computer is processing all sorts of 1s and 0s to store numbers and act on numbers, and it can process thousands of instructions every second.

The words I type here can be coded in binary (ASCII says that certain strings of 1 and 0 refer to specific letters. So the word 'word' can be coded as 01110111 01101111 01110010 01100100.) Again, computers build upon all the work that came before, and things like ASCII were created so we had a consistent way of coding 1s and 0s to indicate letters. (There are other encoding formats, like UTF-8 and UTF-32. Since computers are used for languages that don't use the Roman alphabet, it's important to have codes for all the other possible symbols.)

The machine needs to know how to interpret any particular series of 1's and 0's, whether it indicates a letter, or Chinese character, or number, or instruction, or memory location.

We have problems understanding binary, of course, so we have ways of making this more human readable. (Hexadecimal, or base-16, can seriously reduce how much space it takes to write binary. We're most familiar with decimal, of course, but using 'A' for 10, 'B' for 11, and so on until you get 'F' for 15 is convenient. It works because four binary digits can be represented by one hexadecimal digit. Since computers often group bits in sets of 8, or a byte, two hex characters can represent a byte. So 'word', in hex, is 776F7264. 77 is 'w', 6F is 'o', 72 is 'r', and 64 is 'd'. It's useful for a variety of reasons, and very basic machine instructions are often shown in hex instead of binary because it's easier for humans to read... just remember that the computer still sees it as a string of 1s and 0s.)

Digital forensics... well. Every file you have is stored somewhere as a series of 1s and 0s, with some additional information (the header, for example) that helps the computer understand what that sequence of numbers means. The header might have a string of 1s and 0s indicating it's a jpg picture, or docx word document, and in hex that header would be 'FF D8 FF E0 00 10 4A 46 49 46 00 01 01' for jpg, or 'D0 CF 11 E0 A1 B1 1A E1' for a .doc file.
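Here is the 'word' example and the file-header idea from the last few paragraphs worked in C (an added example, not from the original post): one routine writes a string out as groups of eight binary digits, one as two hex digits per byte, and a third names a file from its first bytes using the two headers listed above. The sample headers are constructed for the demo, and the JPEG signature is taken as the post gives it, JFIF version bytes included, so a carver for real files would match only the fixed prefix.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Write each byte of `s` as eight binary digits, groups separated by spaces. */
void to_binary(const char *s, char *out, size_t out_size) {
    size_t pos = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (pos + 10 > out_size) break;               /* space + 8 digits + NUL */
        if (pos > 0) out[pos++] = ' ';
        for (int bit = 7; bit >= 0; bit--)
            out[pos++] = ((*p >> bit) & 1) ? '1' : '0';
    }
    out[pos] = '\0';
}

/* Write each byte of `s` as two hex digits: one digit per four bits. */
void to_hex(const char *s, char *out, size_t out_size) {
    static const char digits[] = "0123456789ABCDEF";
    size_t pos = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (pos + 3 > out_size) break;                /* 2 digits + NUL */
        out[pos++] = digits[*p >> 4];                 /* high four bits */
        out[pos++] = digits[*p & 0x0F];               /* low four bits */
    }
    out[pos] = '\0';
}

/* Convenience wrappers returning a static buffer (fine for a one-shot demo). */
const char *binary_of(const char *s) { static char buf[256]; to_binary(s, buf, sizeof buf); return buf; }
const char *hex_of(const char *s)    { static char buf[256]; to_hex(s, buf, sizeof buf);    return buf; }

/* File headers ("magic bytes") as listed in the post. The JPEG one ends in the
 * JFIF version (1.01); a production carver would match only the fixed prefix. */
static const unsigned char JPEG_MAGIC[] = {0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00,0x01,0x01};
static const unsigned char OLE_MAGIC[]  = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};

struct signature { const char *name; const unsigned char *magic; size_t len; };
static const struct signature SIGNATURES[] = {
    {"JPEG (JFIF)", JPEG_MAGIC, sizeof JPEG_MAGIC},
    {"OLE/.doc",    OLE_MAGIC,  sizeof OLE_MAGIC},
};

/* Name the file type from its first bytes, whatever its extension claims. */
const char *identify_file(const unsigned char *data, size_t len) {
    for (size_t i = 0; i < sizeof SIGNATURES / sizeof SIGNATURES[0]; i++)
        if (len >= SIGNATURES[i].len && memcmp(data, SIGNATURES[i].magic, SIGNATURES[i].len) == 0)
            return SIGNATURES[i].name;
    return "unknown";
}

/* Constructed sample headers: the first 16 bytes of three files. */
const unsigned char SAMPLE_JPEG[16] = {0xFF,0xD8,0xFF,0xE0,0x00,0x10,'J','F','I','F',0x00,0x01,0x01,0x00,0x48,0x00};
const unsigned char SAMPLE_DOC[16]  = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1,0,0,0,0,0,0,0,0};
const unsigned char SAMPLE_TEXT[16] = "Just some text.";   /* 15 characters plus NUL */

int main(void) {
    printf("'word' in binary: %s\n", binary_of("word"));
    printf("'word' in hex:    %s\n", hex_of("word"));
    printf("sample 1: %s\n", identify_file(SAMPLE_JPEG, sizeof SAMPLE_JPEG));
    printf("sample 2: %s\n", identify_file(SAMPLE_DOC, sizeof SAMPLE_DOC));
    printf("sample 3: %s\n", identify_file(SAMPLE_TEXT, sizeof SAMPLE_TEXT));
    return 0;
}
```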

When you delete a file, the computer doesn't erase all those 1s and 0s. It just changes a bit (a bit being one digit that's either 1 or 0) to indicate that that space is now free, and if/when you save something else it *might* decide to save it where the old file used to be. (Actually, anyone who has deleted a file to the trash bin knows there are two levels of 'delete'. The first delete makes a small change that puts it in the trash bin, but you can still 'restore' the file as the computer won't try saving anything where that file exists. When you empty the trash bin and 'permanently' delete it, the computer now considers that space fair game.)

That's part of how digital forensics works... it can find the series of 1s and 0s still in existence. If all that was changed was the bit indicating whether the space was available or not, it can undelete the entire file. So long as it's not been written over already. (There's more to it than that. Sometimes something is saved over part of the previous file's data, so you might lose the beginning portion and still be able to understand what the rest of the file held. And if the information was overwritten in a known process, you can reverse the process to recreate what used to be there. I now understand what some of the IT guys in the military were talking about when they digitally 'shred' something... they're basically running a program that repeatedly overwrites the data with 1's and 0's so that it can't be reversed and the data can't be recreated.)

Encryption scrambles those 1's and 0's in a systematic way, so that (if you have the key) you can reverse the process and get the original information... but someone without the key can't.

That's a very, very simplified explanation that doesn't even go into what the CPU does, much less how this works with websites and internet connectivity.  I'll post more another time.

Good Article on Self-Doubt

https://medium.com/s/reasonable-doubt/the-constructive-power-of-self-doubt-e1e33b8394cd

Thursday, February 21, 2019

Sobering look at diversity in America

https://www.theatlantic.com/politics/archive/2019/02/americans-remain-deeply-ambivalent-about-diversity/583123/

Sunday, February 17, 2019

Trump's National Emergency

I started reading this and discovered that it fit my understanding of the situation well, with even more detail on previous exercises in presidential power.

I hadn't heard some of it before (like the benefits of hypocrisy) and want to think about it further.

Still, I find the current situation disturbing and this article lays out a lot of the reasons why.

Edited to add: the Facebook conservatives I know have for the most part been quiet on the topic, which I choose to mean they're all uncomfortable with it. Except one. I normally don't bother responding to shared memes that are more about virtue signaling than anything else (pictures with some statement, shared with the intention of showing you agree and expecting everyone else to agree as well, not a signal of any interest in discussing the issue) but I made an exception here. It struck me as important to speak out against it. Anyways, he posted something else, I responded, and his last response was essentially saying Soros got Obama elected. I don't think there's much more to say after that. Maybe?

Friday, February 15, 2019

Random

Heard about this and decided to check it out, as I've never read Twilight but oh have I heard about it.

It's interesting in part because so many girls are drawn to this stuff, and her explanation for why rings true.

https://cleolinda.livejournal.com/602881.html

Wednesday, February 13, 2019

Cyber-Security Analogy, Cont.

Let's get back to the wizard in my analogy, and the challenges of mass production.

One of my classes covered material for the Certified Ethical Hacker (CEH) exam, which deals with penetration testing. For those who don't know, you get hired to try and hack into a business so that business can make themselves more secure. Being a penetration tester uses some of the exact same tools a hacker does, except it's done at the request of the target and comes with more report writing. Or so I hear.

We had some lab assignments to go with the academic material, and had a virtual lab with virtual machines that we tried hacking into. Metasploit is probably one of the best known tools for this, and it can be used by good and bad guys alike. We also dealt with stuff like Poison Ivy, and created some phishing e-mails and the like.

I brought up Metasploit because the software contains exploits for all sorts of vulnerabilities. You just have to figure out what type of system you're targeting, select the exploit you want to use, and run it. Then bam! You're in, and can do all sorts of nasty things.

You don't have to know how to create the exploit yourself, you just run the program and let it do the work for you. (You probably want to learn a bit about what a defender would see when you do that, and how to minimize the risk, but that's a lot easier to teach than learning how to code an exploit yourself.)

Thus my original analogy, and comments on how mass producing guns changed things. You've got a 'wizard' that can create a program to exploit a vulnerability, a 'spell' if you will. They can either keep it to themselves or share it with everyone else, giving all potential attackers a 'spell' that will find hidden doors in the wall.

The spells themselves are not necessarily the problem, in that defenders use the exact same spells to test their defenses and brick up doors. The real problem is the wizard, and the system for distributing spells.

And that's about where I'll call this whole series of posts to a halt. I'm not entirely sure what the system is for distributing exploits, other than that you can see the results in Metasploit and other such programs. I've heard that organized crime has an entire system for this, so maybe understanding the Dark Net would help me come up with ideas on how to target that? Or should I just assume dissemination is a given, and ignore that entirely?

And as for the wizard... Hmmm. Targeting them gets into some of the same problems with attribution that I mentioned earlier. Though I suppose you could also try coming up with a program to turn them away from the dark side? I'm not sure how many would be interested in that, though. I don't really have a good profile for what the typical wizard is like, what motivates them to do what they do, etc.

Meh. Whatever. These are just some initial thoughts on the topic, based on what I've learned so far.

Cyber-Security Analogy, Cont.

If you want to change the threat environment, you can also consider ways of reducing the number of attackers. Right now it's really, really, really difficult to hold attackers accountable. It's not just that they can fake their IDs, it's also that they may come from or pass through other nations on their way to attack your castle. And we don't necessarily have any sort of agreements with those nations that would allow us to enforce our laws on them.

While I do think we need better international cooperation to hold attackers accountable, there's another issue at work here. How do you identify someone as an attacker in the first place? How do you trace back their identifier to the original person?

Tackling that problem is something I have reservations about, in that it's great to focus on that if you want to catch bad guys, but it also is something that can be used to oppress or suppress good people. Consider what I'd said about wanting to explore the Dark Net, and wanting VPN and whatnot before doing so. My reasoning for all of that?

I want to understand the world on a holistic level... and the darker side is part of that. Can we truly understand economics, for example, without understanding the role shadow economics plays in it? I don't know... I don't think there's any equivalent to GDP for the underground economy. There might be a few studies that explore how money gets laundered and how much of it comes back into the legitimate economy, I dunno. Maybe the underground economy isn't large enough to really impact anything, maybe our economists can make sound decisions without ever considering that side of things... But how would we know if we never even consider the possibility?

It's a bit like how some biologists really love looking into how an ecology handles decay. Would there be horrible ecological consequences if we got rid of nasty critters like mosquitoes and flies? You don't know unless you look into it. (I think I read that we could get rid of mosquitoes with little to no consequences, which would be awesome if true and doable.)

The Dark Net seems like a good place to get a better understanding of the shadows in our world, but I have some serious trepidations about going there. It's like turning over a rock, or spelunking in a cave. I'm not sure what I'll find, I'm not sure what I would do with what I'd find, that sort of thing. But... I do know that before I go spelunking in such dark caverns I'd want to do my darndest to make sure nobody there could ever trace me back to my physical address. So I want a VPN service, might try to use Tor, that sort of thing. (I haven't tried too much to maintain privacy online so far, tbh. I know a lot of computer people who flat out refuse to use Facebook any more, but I still have a lot of friends and family there and haven't completely opted out yet.)

Bringing this back to cybersecurity - any attempt to make it easier to identify people online will also make it easier for abuse to happen. Like authoritarian governments tracking down dissidents, or online mobs doxxing people they don't like.

I have reservations about making it easier to identify people online, but I also know that attribution is especially important if we're dealing with a nation/state threat level and want to deter attacks.

How could Ukraine hold Russia accountable for the 2017 NotPetya attacks, and prevent any future such attacks from occurring, when Russia denies involvement and calls the accusations "unfounded blanket accusations"?

Cyber-Security Analogy, Cont.

My previous analogy was... well, not an exact description of things. For example, a denial of service attack would be more like someone creating a bunch of clones to try to get through the gate. So many are trying to get through that it creates a really long line, and all other (legitimate) traffic gets fed up with the wait and leaves.

And you can also imagine that everyone trying to get through the gate carries a number identifying their origin (the source address on each packet). You can fake the number, of course, but you have to present some number. The clones might all share the same number (one attacker using one computer to generate the flood) or they might each have a different number (one attacker driving a botnet under their control, or one attacker forging a different number on every request). The gate guards can use that number to spot and turn away the heaviest attackers, with two caveats: if the number is forged, blocking it shuts out whoever really owns it, and if the flood is spread across enough numbers, no single one looks suspicious on its own.
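In a real network the gate guard's "number" is the source IP address, and the guard's tactic is a per-source rate limit. The Python below is an added example, not code from the original post: it runs a sliding-window counter over constructed sample traffic (timestamps are invented, addresses are from the RFC 5737 documentation ranges, and the one-second window and per-source limit of 20 are arbitrary assumptions) and shows why a per-source threshold catches the one-computer flood but not the botnet, which only shows up when you count arrivals from all sources together.

```python
from collections import defaultdict, deque


def build_sample_log():
    """Constructed traffic log, one '<seconds> <source ip>' line per request.

    Three kinds of traffic are mixed in (none of it real):
      * five legitimate visitors, one request each,
      * one machine (192.0.2.10) sending 50 requests in under a second,
      * forty bots (203.0.113.1-40) sending two requests each, a few
        seconds later, so the bursts do not overlap.
    """
    lines = []
    for i in range(5):                              # legitimate visitors
        lines.append(f"{100.0 + i * 0.2:.2f} 198.51.100.{i + 1}")
    for j in range(50):                             # single-source flood
        lines.append(f"{100.0 + j * 0.02:.2f} 192.0.2.10")
    for k in range(40):                             # distributed flood
        lines.append(f"{105.0 + k * 0.01:.2f} 203.0.113.{k + 1}")
        lines.append(f"{105.5 + k * 0.01:.2f} 203.0.113.{k + 1}")
    return "\n".join(lines)


def parse_log(text):
    """Turn the log text into a list of (timestamp, source_ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip = line.split()
        events.append((float(ts), ip))
    return events


def flag_sources(events, window=1.0, per_source_limit=20):
    """Per-source sliding-window limit: the 'gate guard reads the number' rule.

    Returns the set of source addresses that exceeded per_source_limit
    requests inside any window of `window` seconds. Note the caveat from
    the text: if the source address is forged, blocking it punishes
    whoever really owns that address, and each bot in a botnet stays
    under the limit, so the rule never fires for a distributed flood.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:            # drop arrivals that aged out
            q.popleft()
        if len(q) > per_source_limit:
            flagged.add(ip)
    return flagged


def peak_rate(events, window=1.0):
    """Highest number of arrivals, from all sources combined, in any window.

    This is the aggregate view that makes the botnet visible: forty
    addresses at two requests each is eighty requests a second at the
    gate, even though no single address looks busy.
    """
    times = sorted(ts for ts, _ in events)
    best, start = 0, 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("sources over per-source limit:", flag_sources(evts))
    print("peak requests per second (all sources):", peak_rate(evts))
```

Running it, the per-source rule names only 192.0.2.10, while the aggregate peak of 80 requests a second comes from the forty bots, none of which individually exceeded two requests. A production limiter keys on more than the raw address (prefix, ASN, request cost) precisely because of the two caveats above.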

But...

That's not really why I created the analogy in the first place. I did it to create a different frame of reference, so I could look at the problem in a different way.

For example, much of cyber-security is focused on handling the daily attacks... figuring out ways of improving security at the gate, or blocking up the not-so-secret doors in the walls, or training people so that they don't throw ropes over the wall to let an attacker in.

Each of those fields has its own cat-and-mouse, fast-paced development. Someone finds a new 'secret' door in the wall. If it's an attacker, they may keep it to themselves (a 'zero-day': a flaw the defenders don't know about and have no fix for yet) or share it with others. If it's a defender, they may try blocking it up with bricks.

If/when both sides become aware of it, there's a race between the defender blocking it up and the attacker getting through, where an enemy wizard creates a new spell to find and open the door (an exploit) and spreads it to everyone interested in getting into the castle. Does the door get blocked before an attacker gets through? Who knows?

All of that is necessary just to stay on top of things, but it doesn't really change the nature of the game.

Or perhaps it does, in the long run. Maybe. If the defenders can find and secure all the doors faster than new ones are found and exploited.

Maybe, someday, getting into the castle will become so difficult that most of the casual attacks drop off.

It'll probably be a long time before that happens, though.

So, what would change the nature of the game?

From my (very superficial, noobie) awareness, there are a couple of different ideas on how to handle this.

For example, some people want to just rebuild the castle entirely, making sure that this time there are no secret doors or hidden passageways. (I think this gets into Trusted Computing, as well as the push for more secure software, holding software providers liable for vulnerabilities, and probably some other stuff I don't really know much about).

There are quite a few challenges to this goal, though. Imagine trying to rebuild a castle while you're still living in it and working out of it. Assuming you can make something entirely secure in the first place (there are arguments about that, and I don't have enough experience to have my own opinion on it. I mean, systems are complex and it's possible that we can't secure them entirely... but finding and fixing a security flaw like the infamous buffer overflow doesn't necessarily mean that doing so creates another vulnerability elsewhere, so in theory you should be able to secure it all? Maybe? Let me get back to this when I have a better idea of what I'm talking about.)

For anyone unaware - quite a bit of computer technology is concerned with "backwards compatibility". That way all your old programs and things will still work on the new system. It also, unfortunately, means that technology has all these 'kludges', or remnants of things that were necessary back when computers were built a certain way, but aren't now. Or rather, they're only needed now for backwards compatibility. And early computing was more trusting than we are now, so some security issues are intrinsic to decisions made way back when. If you could redesign everything from scratch, incorporating what we now know, things might possibly be different. But that would require a massive investment in time, energy, and money. There are, apparently, still numerous computers using really ancient software because businesses rely on that software and haven't been able to find an alternative on anything more recent. (Many tech people seem to have stories of someone finding an old system that nobody knows what it's used for any more, powering it off because something that old can't possibly be important any more, and discovering that doing so made it impossible for the business to function any more.)

Anyways. Rebuilding from scratch seems massively complicated, though there's some potential to the idea. Especially if you go with a gradual rollout, so businesses can adjust as their existing systems wear out and they have to buy new ones. (Sort of like the transition from IPv4 to IPv6, though you still have a lot of systems that require the ability to use both.)

There's also the idea that we could secure the castle if we just held software vendors accountable for their software. That is, the hidden doors in your wall don't necessarily come only from what you built, or from Microsoft, Linux, or Apple. The operating system might have vulnerabilities, but any software you add to your computer can also come with vulnerabilities. So even if your operating system is secure, even if all known doorways are bricked up, anything you downloaded and installed (an internet browser, a game, an application to manage your finances, anything) might also open a hidden door in your castle walls.

And software companies, apparently, are well known for releasing products as quickly as they can... and fine-tuning them after they've gone public. Think of every new Windows operating system, or the time it took for Pokemon Go to smooth out all the bugs. The public acts as the final phase of testing for much of what gets released.

And, well... software is complicated. You can test, and test, and test, and probably won't find everything until you're doing it for real. Like when we changed our warehouse management system at my old company... I tested the heck out of it, but some things didn't become apparent until we were dealing with the number of users and orders we did on a daily basis. It's hard for a test environment to duplicate everything, and some problems are probably inevitable.

But that doesn't seem to be the real problem with this solution. After all, it shouldn't be too hard to have a reasonable standard of what is 'inevitable parts of producing a new product' and what is 'sheer laziness and the desire to make money quick'.

The real problem is that, in our current environment, nobody wants to add regulation that will unduly burden software vendors. Or maybe we don't need regulation, maybe we just need a really big lawsuit holding someone (Adobe, or Microsoft, or Google, or Apple, etc) accountable for the losses a business had when an attacker exploited a vulnerability in their product. Assuming you can, since I think we all tend to pro forma sign one of those Terms of Service that they'll probably use to deny liability for any such thing. Still, if software vendors have to pay a really large fee for any mistakes in their code, they'll probably start spending more money on development and testing for security in their product before releasing something new.

And if the case is big enough, and the vendor penalized enough, everyone else in the industry will take notice and start doing the same.

It may not stop attacks entirely, but it would at least make sure that there were fewer hidden doors to find. Of course, it would probably also slow down the software development process.

So those are just a few possible solutions. There's another way of looking at this, though.

I came up with the analogy I did because I wanted to think about what it meant, this mass distribution of the ability to hack into a target. The 'wizards' creating 'spells' that anyone could use.

Hmmm, before I focus on that I want to talk about something else.


Actually, given how long this is getting Imma gonna stop right here and start a new post.


Tuesday, February 12, 2019

Cyber-Security, an Analogy

I applied to a few more places this morning, watched a video or two for Cybrary (Cybrary does free cyber security training, though they offer a lot more if you pay a monthly fee. The training and mentorship sounds amazing, but I don't think I can commit to paying that fee until I have a reliable source of income again. Which really rather sucks. Ah, the things I would do if I had the resources right now! I think I'd get a VPN, and try exploring the Dark Net a bit. Buy a new laptop, I wonder if I could get a hypervisor one and set up multiple VMs? One for Kali Linux, one for Windows... I suppose I could try doing it with what I have, and maybe I'm just making excuses for doing nothing, but my current setup is... just not conducive to it.)

Anyways, I was remembering something from my undergrad years and figured I'd share it here:

I think I had a stint where I answered phones for our ROTC dept, or something, because I remember raiding the military library in the back and reading quite a bit of what I found. Most of it was fairly typical stuff. World War II stuff, like A Bridge Too Far. Or Vietnam, or the Civil War. One book I found particularly fascinating discussed the evolution of military technology and its impact on how we fought. I tried looking it up much later, and I think it was called From Crossbow to H-Bomb. I may be pulling info from various other things as well, but it's interesting how something like a stirrup or crossbow or gun can change the way we fight.

Guns, in particular, were interesting because up until then a fighter had to go through years of specialized training, and spend quite a bit of money. Learning to use a sword is not something you can do quickly, and if you want to talk about knights you also have to talk about the cost of their horses and armor.

Guns, on the other hand, are something you can train people to use within a couple of weeks to months worth of time. Not only that, but you can train women to use them, and they'll be just as effective as the next guy. They were, in some ways, an equalizer in that a peasant army could reasonably challenge the nobility on the battlefield with only minimal training. (Add in mass manufacturing and, well, the current military environment is very, very different.)

There was also some stuff about whether military technology favors defense or offense. For example, castles were built back when it favored defense. A well designed castle, so long as it had food and water, was nigh impenetrable. Sure, a besieging force might have sappers undermine the wall or find some other way through it, but it took time. Laying siege to a castle could take years, and it was too dangerous to just go around them since it often left an enemy to your rear.

But things changed and walls are pretty much useless now.

Just consider how easily we can send bombers over them, and I'm not even mentioning modern artillery. Heck, a tank can probably take out a wall in reasonably good time, though I'm a little unsure how long it would take to create a hole in a really thick castle wall.

Really, current technology favors offense and will probably continue to do so unless/until we learn how to make force fields. (And maybe that's a prediction people will laugh at in a couple of hundred years, too.)

Anyways, thinking of castles, military technology, and all that reminded me of cybersecurity.

If I were to make an analogy - current defenders are trying to protect their castle. I'm oversimplifying that, as within the castle walls are towers that have their own security and constantly communicate with each other, but let's keep it simple.

Defending the castle.

The current threat environment, on the other hand, goes something like this. Expert hackers have learned how to mass manufacture magical spells and guns. Someone might march up to the castle and cast a spell, suddenly creating multiple clones of themselves that launch attacks on the castle... preventing anyone from going in or out. (In other words, a botnet launching a denial-of-service attack).

When the path to the castle is clear, others approach the front gates and use a magical spell to make themselves look like one of the castle citizens. They pass through security and onward into the castle.

Still others wander around the walls of the castle, casting spells that allow them to find hidden doorways and secret passageways.

And then there are still more attackers, who have information on people within the castle and are trying to convince them to let down a rope.

That's not even including the disgruntled castle citizen that decides to let down a rope or throw open a hidden door of their own volition.

Some of the attackers are doing it for fun, others are doing it to make money, and still others represent enemy nations, but they all have access to magical spells.

The problem isn't just the multitude of ways they can attack, the problem is also that the ability to attack has become mass-produced, so that all these various attacks may be occurring simultaneously. Numerous times a day.

And that is the current threat environment.

Sunday, February 10, 2019

Twitter Thread

It started out discussing racism, conversations about it, and how it's not necessarily a good thing to initiate them.

It shifted a bit, explaining the former, into discussing how such conversations often aid the perpetrator's desire to be forgiven, and sometimes the aggrieved party isn't ready to do that.

And it's not right to put them on the spot like that when they aren't ready to, in some ways it (yet again) hurts them.

And when the author got across that they may not be forgiven, might get yelled at or shouted at, it was a much different story.

https://twitter.com/shrinkthinks/status/1093270453236436992?s=09

Saturday, February 9, 2019

Somewhat disturbing, actually

https://yesmeansyesblog.wordpress.com/2011/03/21/mythcommunication-its-not-that-they-dont-understand-they-just-dont-like-the-answer/

Tuesday, February 5, 2019

Another Great Article

https://www.fordfoundation.org/ideas/equals-change-blog/posts/the-coming-of-hope-a-vision-for-philanthropy-in-the-new-year/

Beautiful

https://warontherocks.com/2019/01/self-deception-and-the-conspiracy-of-optimism/

Monday, February 4, 2019

Phew.

Buckled down and did a bit of (much needed) job hunting this morning. Applied to a couple of places, called a couple of places, followed up on a couple of things.

It really, really sucks. But if I do a little bit each day, something is eventually bound to work out.


Sunday, February 3, 2019

Repentance, a Twitter Discussion

I kind of liked what this person was saying, and decided to share the tweet.

Also thought the comments were informative, in a different way.